Personal access tokens

You can request a Personal Access Token from the API section in the Contentful Web App. You’ll need access to the Content Management API to generate one.

By default, tokens created by users are not automatically authorized for every organization they belong to. If token authorization enforcement is activated for an organization, users must manually authorize each token before it can be used.

To authorize a token:

  1. Go to your Personal Access Tokens list.

  2. Click Authorize next to the organization you want the token to access.

  3. If the org enforces SSO, you'll be prompted to authenticate before authorization is completed.

This added step ensures tokens are only active where they are intentionally linked.

Yes. All users, including org owners, are subject to SSO enforcement by default.

Previously, org owners were automatically exempt from SSO enforcement. However, enterprise customers flagged this as a security risk. In response:

  • New organizations enforcing SSO will have no default exemptions, including for owners.

  • Admins can manually exempt specific users, such as break-glass accounts, from SSO enforcement.

  • Existing customers will retain their current exemptions temporarily via a migration script, but can opt into enforcing SSO for all users.

To change exemptions, go to your SSO settings and manage user access individually.

As an admin, you can deauthorize tokens to revoke their access to your organization—without removing the user or revoking the token entirely.

How to deauthorize a token:

  1. Go to the CMA tokens admin view.

  2. Select one or more tokens.

  3. Click Deauthorize.

The token remains active for any other orgs it is authorized for. Upon deauthorization:

  • The token owner is notified.

  • All admins and owners of the organization that deauthorized the tokens are also notified, as a safety precaution.

This gives you fine-grained control over token access without disrupting users or workflows in other orgs.

When you create a personal access token, we recommend that you set an expiration for your token. Upon reaching your token's expiration date, it is automatically revoked. Adding an expiration date increases your organization's ability to secure how your data is accessed.

Content Management API tokens are just like passwords: anyone who obtains one can use Contentful on your behalf, so do your best to protect them. Typical measures include reading tokens from environment variables wherever possible, and adding any file that contains a token to your VCS ignore list so that it cannot be leaked.
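The two measures above, as an added example that is not part of the Contentful documentation or SDK: a Node script that reads the CMA token only from the environment, builds the bearer header a CMA request needs, and runs a pre-commit style scan that refuses staged files containing a token-looking string unless the .gitignore already excludes them. It assumes that personal access tokens start with `CFPAT-`, that the variable is named `CONTENTFUL_MANAGEMENT_TOKEN`, and that the sample files and token are constructed for this example.

```javascript
// Added example (not Contentful's own code): treat a Content Management API
// personal access token like a password. The token is read only from the
// environment, and a small pre-commit style check refuses files that contain
// a token-looking string unless the .gitignore already excludes them.
//
// Assumptions (not from the original page): CMA personal access tokens start
// with "CFPAT-", the environment variable is named CONTENTFUL_MANAGEMENT_TOKEN,
// and the sample token and files below are constructed for this example.

const TOKEN_PREFIX = "CFPAT-";
const TOKEN_PATTERN = /CFPAT-[A-Za-z0-9_-]{20,}/g;

// Constructed sample token (not a real credential).
const SAMPLE_TOKEN = "CFPAT-0123456789abcdefghijklmnopqrstuvwxyzABCDEFG";

// Read the token from the environment only; never from a file in the repo.
function loadCmaToken(env = process.env) {
  const token = env.CONTENTFUL_MANAGEMENT_TOKEN;
  if (typeof token !== "string" || !token.startsWith(TOKEN_PREFIX)) {
    throw new Error("CONTENTFUL_MANAGEMENT_TOKEN is missing or is not a CMA personal access token");
  }
  return token;
}

// Headers for a CMA request; the token travels as a bearer token.
function authHeaders(token) {
  return {
    Authorization: `Bearer ${token}`,
    "Content-Type": "application/vnd.contentful.management.v1+json",
  };
}

// Show only enough of a token to identify it in a finding.
function redact(token) {
  return `${token.slice(0, TOKEN_PREFIX.length + 4)}...${token.slice(-4)}`;
}

// Minimal .gitignore matcher: a pattern matches the whole path or any path
// segment (enough for patterns such as ".env" or "node_modules/").
function isIgnored(path, ignorePatterns) {
  const segments = path.split("/");
  return ignorePatterns.some((raw) => {
    const pattern = raw.trim().replace(/\/$/, "");
    return pattern !== "" && (pattern === path || segments.includes(pattern));
  });
}

// Scan staged files for token-looking strings; files covered by .gitignore
// are skipped because they will not reach the repository.
function findLeakedTokens(files, ignorePatterns) {
  const findings = [];
  for (const [path, contents] of Object.entries(files)) {
    if (isIgnored(path, ignorePatterns)) continue;
    contents.split("\n").forEach((line, index) => {
      for (const match of line.match(TOKEN_PATTERN) || []) {
        findings.push({ file: path, line: index + 1, token: redact(match) });
      }
    });
  }
  return findings;
}

// Constructed sample input: an ignored .env file, a file that reads the
// token correctly from the environment, and a script that hard-codes it.
const SAMPLE_GITIGNORE = [".env", "node_modules/"];
const SAMPLE_FILES = {
  ".env": `CONTENTFUL_MANAGEMENT_TOKEN=${SAMPLE_TOKEN}\n`,
  "src/client.js": "const token = process.env.CONTENTFUL_MANAGEMENT_TOKEN;\n",
  "scripts/migrate.sh": `#!/bin/sh\nexport CONTENTFUL_MANAGEMENT_TOKEN=${SAMPLE_TOKEN}\n`,
};

// Report what would be committed; a real hook would exit non-zero on findings.
for (const f of findLeakedTokens(SAMPLE_FILES, SAMPLE_GITIGNORE)) {
  console.log(`${f.file}:${f.line}: CMA token ${f.token} would be committed`);
}
```

Run with `node` as a pre-commit hook over the staged file list instead of the constructed sample; the `.env` file is skipped only because the ignore list covers it, so keeping `.env` in `.gitignore` and reading the token through `loadCmaToken` is what keeps the scan quiet.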

NOTE: You cannot set an expiration date on existing tokens. 

To add an expiration date on a Personal Access Token, you must create a new token. Click the Create personal access token button at the top right corner of the CMA tokens page. In the modal, enter the name of the new token and choose an expiration date from the dropdown. Click Generate to create the new token.

When a token is approaching expiration, individuals who created the token will receive email notifications with guidance on how to create a new token. However, tokens with an expiration time of less than 1 day will not receive an email notification.

When creating a personal access token, set an expiration for it. Upon reaching its expiration date, the token is automatically revoked. Expiration dates increase your organization's ability to secure how your data is accessed and ensure proper maintenance of your tokens.

This varies greatly depending on your use case. OAuth apps allow other users to authenticate against Contentful so that your app can use the issued token as part of its process. Personal Access Tokens are personal, meaning they are tied to a single Contentful user account. This makes Personal Access Tokens good candidates for development and for automation, when an application requires only a single Contentful account to manage content.

Inherently none, as both are tokens for accessing the Contentful Content Management API. Both are tied to the user who requested them, and hence have access to the very same organisations, spaces and content as the token’s owner.

The difference is more conceptual: with OAuth, you authorize an app to talk to Contentful on your behalf, and might never see the credentials that the app uses; with Personal Access Tokens, on the other hand, you are in charge of requesting the credentials from the API and subsequently managing them.

Because they provide an easy way to work with our Content Management API, and are a widespread standard used across well-known organisations and services (such as GitHub, for example).